NVD Vulnerability Detail

CVE-2020-15159

Summary	baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file.The affected components are ThemeFilesController.php and UploaderFilesController.php. This is fixed in version 4.3.7.
Publication Date	Aug. 29, 2020, 7:15 a.m.
Registration Date	Jan. 26, 2021, 11:53 a.m.
Last Update	Nov. 21, 2024, 2:04 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:basercms:basercms::::::::			4.3.6

Related information, measures and tools

No	URL	タグ
1	https://basercms.net/security/20200827	Vendor Advisory
2	https://basercms.net/security/20200827	Vendor Advisory
3	https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66d	Patch Third Party Advisory
4	https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66d	Patch Third Party Advisory
5	https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw	Patch Third Party Advisory
6	https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw	Patch Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

baserCMS におけるクロスサイトスクリプティングの脆弱性

Title	baserCMS におけるクロスサイトスクリプティングの脆弱性
Summary	baserCMS には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 27, 2020, midnight
Registration Date	Jan. 7, 2021, 5:44 p.m.
Last Update	Jan. 7, 2021, 5:44 p.m.

Affected System

baserCMSユーザー会

baserCMS 4.3.6 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-15159	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15159
National Vulnerability Database (NVD)
2	CVE-2020-15159	https://nvd.nist.gov/vuln/detail/CVE-2020-15159

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
BaserCMS
1	2020/08/27 コードインジェクション、XSSの脆弱性	https://basercms.net/security/20200827
GitHub
2	Cross Site Scripting (XSS) and Remote Code Execution (RCE)	https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw
3	Merge pull request from GHSA-673x-f5wx-fxpw	https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66d

Change Log

No	Changed Details	Date of change
1	[2021年01月07日] 掲載	Jan. 7, 2021, 5:44 p.m.